Icelandic SA: administrative fine imposed on the Primary Health Care of the Capital area for the unlawful processing in relation to the integration of medical record systems.

7 March 2025

Background information

  • Date of final decision: 11 February 2025
  • National case
  • Controller: the Primary Health Care of the Capital area
  • Legal Reference(s): Article 5 (Principles relating to processing of personal data), Article 6 (Lawfulness of processing).
  • Decision: violation identified, administrative fine
  • Key words: lawfulness of processing, administrative fine, sensitive data

 

Summary of the Decision

Origin of the case  

The Icelandic Supervisory Authority (SA) initiated an investigation into the integration of medical record systems by the Primary Health Care of the Capital area (Primary Health Care) following the SA’s ruling on a complaint concerning the processing of medical records by the Transport Authority’s medical officer (case No. 2023071182). The investigation of the complaint revealed that the Primary Health Care had made an agreement with the Icelandic Transport Authority on the integration of medical record systems, which did not fulfil the requirements of national law, i.e. Act No. 55/2009 on Medical Records.

The investigation of the integration of medical records by the Primary Health Care was limited to the lawfulness of the processing.

 

Key Findings 

The SA’s investigation revealed that the Primary Health Care had made several agreements concerning the integration of medical record systems, of which only one met the requirements of Act No. 55/2009 on Medical Records. In accordance with Article 20.2 of the Act, a permit from the Minister of Health is required for the integration of medical record systems, along with a confirmation from the Icelandic SA concerning the security of the processing of personal data in the integrated system. As the Primary Health Care failed to comply with these requirements when integrating eleven parties into its medical records system, it failed to ensure the lawfulness of the processing (Articles 5.1 (a), 6.1 and 9.1 GDPR).

 

Decision 

The Icelandic SA imposed a fine of 33 854 EUR (5 000 000 ISK) on the Primary Health Care of the Capital area.

The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.